DirXML Driver for Exchange Implementation Guide


About This Guide 


This guide explains how to install and configure the DirXML® Driver for Microsoft* Exchange 
5.5.


The guide contains the following sections: 
+ Chapter 1, "Overview," on page 9 
+ Chapter 2, "Installing and Configuring the Driver," on page 13 
+ Chapter 3, "Upgrading," on page 25 
+ Chapter 4, "Customizing the DirXML Driver for Exchange," on page 29 
+ Chapter 5, "Troubleshooting the Driver," on page 37 
+ Appendix A, "Documentation Updates," on page 41 


Additional Documentation 


For information on Nsure™ Identity Manager, see the Identity Manager Documentation Web site 
(http://www.novell.com/documentation/lg/dirxm120). 


For information on other DirXML drivers, see Driver Implementation Guides 
(http://www.novell.com/documentation/lg/dirxmldrivers/index.html). 


Documentation Updates 


For the most recent version of this document, see DirXML Driver for Exchange in the Driver 
Implementation Guides (http://www.novell.com/documentation/lg/dirxmldrivers/index.html) 
section. 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
within a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party 
trademark. 


User Comments 


We want to hear your comments and suggestions about this manual and the other documentation 
included with Identity Manager. Send e-mail to proddoc@novell.com. 
Overview 


The DirXML® Driver for Exchange is a connector that synchronizes data between Novell® 
eDirectory™ and Microsoft Exchange. This synchronization makes it possible for Exchange 
accounts to be managed in eDirectory. You no longer need to manage a user's eDirectory and 
Exchange accounts separately. The DirXML Driver for Exchange increases the efficiency of your 
network management by allowing you to manage eDirectory and Exchange accounts as a single 
account in a single management tool. 


The DirXML Driver for Exchange runs on Windows* NT*. 


The driver supports only the Distribution List, Remote, and Mailbox classes. 


This section provides information on the following: 
+ "New Features" on page 9 
+ "Driver Concepts" on page 10 
+ "Benefits" on page 10 
+ "Required Skills" on page 11 
+ "Adding to the Identity Manager Basics" on page 11 


New Features 


This section covers the following: 
+ "Driver Features" on page 9 
+ "Identity Manager Features" on page 10 


Driver Features 


+ The new AuthoritativeBind parameter lets you use an authoritative LDAP bind (a bind made 
with the configured Authoritative User and its password) instead of an anonymous LDAP bind. 
See "Using Authoritative Bind" on page 33. 
+ The Assoc-NT-Account attribute can now be used for queries into Exchange. 
+ Instead of preferredName, a new attribute named DirXML-NTAccountName is now used in 
eDirectory. See "Integrating the DirXML Driver for Exchange and the DirXML Driver for NT 
Domain" on page 29. The preferredName attribute can still be used. 
+ Role-Based Entitlements are supported. You can choose this option during import. Using 
Role-Based Entitlements is a design decision. Before choosing this option, see "Using 
Role-Based Entitlements" in the Novell Nsure Identity Manager 2 Administration Guide. 
+ The driver can be customized to provide a driver heartbeat. See "Adding Driver Heartbeat" in 
the Novell Nsure Identity Manager 2 Administration Guide. 
Identity Manager Features 


For information on new features in Nsure™ Identity Manager, see "What's New in Identity 
Manager 2?” in the Novell Nsure Identity Manager 2 Administration Guide. 


Driver Concepts 


The DirXML Driver for Exchange is a bidirectional synchronization connector between Microsoft 
Exchange and eDirectory. This connector uses XML to convert Exchange objects to eDirectory 
objects and vice versa. 


eDirectory acts as a hub, with other applications and directories publishing their changes to it. 
eDirectory then sends changes to the applications and directories that have subscribed for them. 
This results in two main flows of data: 


+ The Publisher channel 
+ The Subscriber channel 


Publisher Channel 


The Publisher channel reads information from your Exchange Server and submits that information 
to eDirectory via the DirXML engine. 


By using the poll parameters, the Publisher channel polls the Exchange server for changes to 
objects. If the DirXML Driver for Exchange detects changes in Exchange, the data between 
Exchange and eDirectory is synchronized. If the change was caused by data sent to Exchange from 
the Subscriber, no synchronization is necessary. 


Subscriber Channel 


The Subscriber channel watches for additions and modifications to eDirectory objects and creates 
changes on your Exchange server via the DirXML engine. 


The Subscriber channel synchronizes changes made in eDirectory with data on the Exchange 
server. If an associated object is changed in eDirectory, the Subscriber channel updates 
Exchange with the new information. 


Benefits 


You can use the driver to automate and maintain business processes in the following ways: 
+ Automatically create eDirectory objects from Exchange objects 
+ Synchronize data bidirectionally between Exchange and eDirectory 
+ Maintain accurate and consistent eDirectory IDs 
+ Enable integration between Exchange and multiple applications (for example, eDirectory, 
Lotus Notes*, Netscape*, SAP*, and Active Directory*) by using Identity Manager and 
eDirectory 
+ Manage Exchange distribution lists and remote objects 


You can configure the DirXML Driver for Exchange to enhance your organization's processes by 
using custom business logic in the form of policies. Before installing and configuring the driver, 
evaluate and define those processes. During installation, you configure the driver's policies to 
automate these processes wherever possible. 
Required Skills 


Implementing the driver requires expertise in Exchange and Identity Manager. 


Expertise in Exchange 


This document assumes that your expertise in Exchange is equivalent to one of the following: 
+ An Exchange developer 
+ An Exchange administrator 
+ An application designer 
+ An upgrade administrator 
+ A database administrator 


Expertise in Identity Manager 


This document assumes that your expertise in Identity Manager is equivalent to an eDirectory 
administrator or an Identity Manager administrator. 


Adding to the Identity Manager Basics 


The following Identity Manager functionality is important to the driver: 
+ "Event Processing Support" on page 11 
+ "Policies" on page 12 
+ "Associations" on page 12 


Event Processing Support 


The driver supports the following events on the Publisher and Subscriber channels. 


Functionality   Events 

Publisher       Add, Modify, Delete, Rename, Move 

Subscriber      Add, Modify, Delete, Rename 


The driver also supports a defined query capability so that Identity Manager can query the 
synchronized application or directory. 


Policies 


Policies are used to control the synchronization of the driver with eDirectory and the application, 
database, or directory. Policies help Identity Manager transform an event on a channel input into 
a set of commands on the channel output. 


You can configure policies by using the iManager plug-ins for Identity Manager. The sample 
driver configuration includes the following set of policies: 


Policy             Description 

Placement          Operates on both the Publisher and Subscriber channels 
Matching           Operates on both the Publisher and Subscriber channels 
Schema Mapping     Configured on the Driver object 
Input Transform    Configured on the Driver object 
Output Transform   Configured on the Driver object 
Create             Found on the Publisher and Subscriber channels 
Event Transform    Found on the Publisher channel 
Command Transform  Found on the Publisher channel 


For more information about creating your own policies, see the Novell Nsure Identity Manager 2 
Administration Guide. 


Associations 


The driver uses the Exchange DN as the association key. Exchange creates a unique ID or unique 
user name for each of its objects, but Identity Manager does not need to share these same unique 
IDs. 


The association value received from Exchange is unique to the Exchange application and to the 
particular driver for Exchange that you install and enable. If other drivers are installed, each 
uses an association specific to its own application. The association attribute is multivalued, so 
if Identity Manager is being used to connect multiple applications, all of their associations are 
stored on this one attribute. 


The association links an object in Exchange to its associated object in eDirectory. This 
association allows the driver to perform subsequent tasks on the appropriate object. 


The Association field is stored on the eDirectory object on the DirXML property page. 
Installing and Configuring the Driver 


This section provides information on the following: 
+ "Key Terms" on page 13 
+ "Prerequisites" on page 13 
+ "Installing the Driver Shim for Exchange" on page 14 
+ "Post-Installation Tasks" on page 16 


Key Terms 


Driver shim. A dynamically linked library (Exchange55Shim.dll) loaded directly by DirXML® 
or by the remote loader. Collects the changes to be sent from Exchange to eDirectory, 
communicates changes from eDirectory to Exchange, and operates as the link that connects 
eDirectory and Exchange. 


Driver. A set of policies, filters, and objects that act as the connector between eDirectory and the 
driver shim. 


This software enables an application to publish events from an application to the directory, enables 
an application to subscribe to events from the directory, and synchronizes data between the 
directory and applications. 


To establish a connection between the DirXML engine and Exchange, you specify the driver's 
configuration and connection parameters, policies, and filter values. 


Driver object. An object in eDirectory. 


The Driver object displays information about the driver’s configuration, policies, and filters. This 
object enables you to manage the driver and provide eDirectory management of the driver shim 
parameters. 


Prerequisites 


This section lists the software and hardware requirements for running the DirXML® Driver for 
Exchange. 


Software Requirements 
+ Novell® Nsure™ Identity Manager 2 or later, and its prerequisites 
+ Windows NT 4 with the latest patches and service packs (SP6a or later) 
+ Exchange 5.5 with Service Pack 4 or later and the latest patches 


NOTE: If the Exchange Server doesn't have the latest patches, an Entitlement Policy won't correctly 
assign membership in an Exchange distribution list. Also, proxy addresses are handled improperly 
because of a defect in Exchange. 




Hardware Requirements 


+ 128 MB RAM (256 MB or more recommended) 


Installing the Driver Shim for Exchange 




You can install the Driver for Exchange (along with other DirXML drivers) at the same time that 
the DirXML engine is installed. See “Installation” in the Novell Nsure Identity Manager 2 
Administration Guide. 


If you didn’t install this driver shim when you installed the DirXML engine, you can install it later. 
To do this, use the Identity Manager CD/download image instead of the Create Driver option in 
Novell iManager. Then use the Create Driver option or Import Driver option to configure the 
driver. 


To install the driver after the DirXML engine is installed: 

1 From the CD/download image, run the installation program. 
If the installation program doesn’t autolaunch, you can run \nt\install.exe. 

2 In the Welcome dialog box, click Next, then accept the license agreement. 

3 In the first DirXML Overview dialog box, review information, then click Next. 
The dialog box provides information on the following: 
+ A DirXML server 
+ A DirXML connected server system 

4 In the second DirXML Overview dialog box, review the information, then click Next. 
The dialog box provides information on the following: 
+ A Web-based administration server 
* DirXML utilities 


5 In the Please Select the Components to Install dialog box, select only DirXML Server, then 
click Next. 
Figure 1 The DirXML Server check box (the DirXML Install component list: DirXML Server, 
selected; DirXML Web Components; Utilities) 


6 In the Select Drivers for Engine Install dialog box, select only Exchange, then click Next. 


Figure 2 The Exchange check box (the Select Drivers for Engine Install dialog box lists the 
DirXML Engine and the DirXML Drivers: NT Domain, eDirectory, Active Directory, Lotus Notes, 
Exchange, LDAP, GroupWise, Delimited Text, PeopleSoft, and SAP, with Exchange selected) 


You can’t deselect DirXML Schema, which is dimmed. Later, the installation program will 
extend the schema to enable the newly installed driver to function. 


7 In the DirXML Upgrade Warning dialog box, click OK. 

8 In the Schema Extension dialog box, type a username and password, then click Next. 
Remember to type the username in LDAP format, for example: 
cn=admin,o=novell 

9 In the Summary dialog box, review selected options, then click Finish. 


10 In the Installation Complete dialog box, click Close. 
After installing the driver shim, create and configure a Driver object. Do this by completing 
"Post-Installation Tasks" on page 16. 


Post-Installation Tasks 


This section provides information on the following: 
+ "Importing the Driver Configuration File" on page 16 
+ "Configuring the Exchange Server" on page 18 
+ "Installing a Remote Exchange Driver" on page 20 
+ "Configuring the Driver Filter" on page 20 
+ "Starting the Driver" on page 22 
+ "Migrating and Resynchronizing Data" on page 22 
+ "Activating the Driver" on page 23 


Importing the Driver Configuration File 


The sample Exchange 5.5 driver configuration creates and configures the objects needed to make 
the driver work properly. 


For example, consider the following scenario: 


You create a driver set and driver object in the lab. After configuring the driver, you save the 
configuration. To save time and keep the same settings that worked well in the lab, you import the 
driver’s configuration file from the lab environment into your production environment. 


1 In iManager, select DirXML Utilities > Import Drivers. 
2 Select whether to place the configuration file in a new or existing driver set. 
Select In an Existing Driver Set in the following situations: 
+ The driver should be logically grouped with the other drivers in the tree. 
+ The server can handle the additional traffic that the new driver would generate. 
+ You want to update or customize an existing driver. 


For example, you can point the driver to a different container but keep all the rules that 
you have set up. 


3 In the Import Drivers dialog box, check the Exchange 5.5 driver, then click Next. 


Figure 3 The option to select the Exchange 5.5 driver (check box labeled "DirXML Driver for 
Microsoft Exchange 5.5") 


4 Scroll to the following parameters and provide the required information. Refer to the 
descriptions provided in the interface. 
+ Driver name 
+ Domain name 
+ IP address of the Exchange server 
+ Authoritative Bind 
See "Using Authoritative Bind" on page 33. 
+ Exchange Server Name 
+ Exchange Site Organization 
+ Exchange Site 
+ Polling Frequency 
+ Authoritative User 
+ User Password 
+ eDir Users Container 
+ eDir Groups Container 
+ Configure Data Flow 


Figure 4 Options in the Configure Data Flow drop-down list (Bi-Directional, shown selected; 
Exchange to eDirectory; eDirectory to Exchange) 


+ Enable Entitlements 
Using Role-Based Entitlements is a design decision. Don't select this option unless you 
have reviewed "Using Role-Based Entitlements" in the Novell Nsure Identity Manager 2 
Administration Guide. 
If you select this option, also provide information for Action - Remove Mailbox 
Entitlement. 
+ Action - Remove Mailbox Entitlement 
+ Install Driver as Remote/Local 
+ Remote Host Name and Port 
+ Driver Password 
+ Remote Password 

5 Define security equivalences. 
The tendency is to assign Admin. However, Admin grants the driver more rights than it needs, 
so you might want to create a dedicated user (for example, DriversUser) that holds only the 
rights the driver requires, and assign security equivalence to that user. 

6 Identify all objects that represent Administrative Roles and exclude them from replication. 
Also exclude the security-equivalence object (for example, DriversUser) that you specified in 
Step 5. If you delete the security-equivalence object, you remove the driver's rights, and the 
driver can no longer make changes to eDirectory. 

7 (Conditional) If you are re-creating or updating a driver, select Update Everything about That 
Driver, then click Next. 




8 In the Summary screen, review options, then click Finish. 


If you need to make changes, click Back. 


After importing, configure the Driver Set object and the Driver object for your setup, then start or 
restart the driver. 


Configuring the Exchange Server 


This section contains information on configuring the Exchange server for use with the DirXML 
Driver for Exchange. You should already be familiar with Exchange administration and 
deployment. 


Before you proceed, you must have the following information about your setup: 
+ The name of the Exchange Server that the driver will be synchronizing with. 
* The name of the Exchange site you want to administer. 
* The IP address or hostname of the Exchange server. 


* The name of the Exchange service account and its password. 


If the Exchange server is running on the same computer as eDirectory, unload the LDAP server or 
reconfigure it to run on a different port. 


To unload LDAP: 
1 In the Control Panel, double-click Novell eDirectory. 
2 Scroll to and select nldap.dlm, then click Stop. 


Figure 5 nldap.dlm ("LDAP Agent for Novell eDirectory") on the Services tab of the Novell 
eDirectory Services control panel 


To reconfigure LDAP to run on a different port: 


1 In Novell iManager, select eDirectory Administration > Modify Object. 
Figure 6 The Modify Object option (the Modify Object page asks you to specify the object(s) to 
modify and provides an Object name field) 


2 Navigate to and select the LDAP Server object, then click OK twice. 


Figure 7 An LDAP Server object (LDAP Server - NT-BM-NDS) in the object browser 


The second time that you click OK, you save the selected object. 


Figure 8 The Object name field in the Modify Object page, showing 
LDAP Server - NT-BM-NDS.Servers.Novell 


3 In the General page, select Connections, then scroll to the Ports section. 
Figure 9 The Ports section (the Enable Encrypted Port and Enable Non-Encrypted Port check 
boxes, each with its Port field, followed by the Restrictions section and the OK, Cancel, and 
Apply buttons) 


4 Change the Enable Non-Encrypted Port value to a port other than 389, then click OK. 


If another LDAP service is already using port 389, change the Exchange server's LDAP port 
number so that it doesn’t conflict with the other service. If you change the Exchange server’s 
port number, also change the LDAP port that the DirXML Driver for Exchange looks at. See 
“Specifying the LDAP Port” on page 35. 
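The following Python script is an added example (it is not part of this guide or of Novell's software) for verifying the port conflict described above before you start the driver. It reports whether a port is still free on the local machine and, for a port that is in use, sends one minimal LDAPv3 simple bind and decodes the result code, using only the standard library. The host, the ports 389 and 390, and the DN cn=admin,o=novell in the usage are placeholders.

```python
"""Check which ports answer LDAP on this machine with a minimal LDAPv3 simple bind.

Added example; not Novell code. Ports, host, and DN used below are placeholders.
"""
import socket

LDAP_SUCCESS = 0                 # RFC 4511 resultCode values
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_bind_request(msg_id: int, bind_dn: str = "", password: str = "") -> bytes:
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple password}}.

    An empty DN and password give the anonymous bind the driver uses unless
    Authoritative Bind is configured. msg_id must be below 128 (single-octet INTEGER).
    """
    bind_request = (
        _tlv(0x02, b"\x03")                      # version INTEGER 3
        + _tlv(0x04, bind_dn.encode("utf-8"))     # name LDAPDN
        + _tlv(0x80, password.encode("utf-8"))    # authentication: simple [0]
    )
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind_request))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (msg_id, result_code, diagnostic_message) from a BindResponse."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(message, 0)
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x61:                              # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)               # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)      # matchedDN (unused here)
    _, diag, _ = _read_tlv(op, pos)               # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """True if nothing on this machine is listening on host:port.

    No SO_REUSEADDR on purpose: on Windows it would let the probe bind over a live listener.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def probe_ldap(host: str, port: int, bind_dn: str = "", password: str = "", timeout: float = 3.0):
    """Send one simple bind; return (result_code, diagnostic) or None if nothing LDAP answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind_request(1, bind_dn, password))
            reply = s.recv(4096)
        if not reply:
            return None
        _, code, diag = parse_bind_response(reply)
        return code, diag
    except (OSError, ValueError, IndexError):
        return None


if __name__ == "__main__":
    # Placeholders: 389 is the default LDAP port, 390 the port eDirectory was moved to.
    for p in (389, 390):
        state = "free" if port_is_free(p) else "in use"
        print(p, state, probe_ldap("127.0.0.1", p))
```

An anonymous bind that succeeds on 389 tells you only that some LDAP server is listening there, which is enough to confirm the conflict; it does not by itself distinguish eDirectory from Exchange. A simple bind on the non-encrypted port sends the password in cleartext, so probe with the driver's Authoritative User credentials only from the server itself (this script does not negotiate TLS).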


Installing a Remote Exchange Driver 


The driver doesn’t need to run on the same machine as the Exchange Server. However, when 
running remotely, the driver can run only on an NT server or member server that belongs to the 
same domain as the Exchange server domain. This restriction is a Microsoft-imposed NT 
credential restriction. 


The NT server where you install the driver needs to have three Microsoft .dll files installed before 
the driver can run: libxds.dll, exchmem.dll, and expsrv.dll. The files are installed by the Exchange 
Administrator program. You can install Exchange Administrator from the Microsoft Exchange 
Server CD. 


A remote driver doesn’t create NT accounts when a new Exchange mailbox is created. This is also 
because of restrictions imposed by the Microsoft DAPI API that the driver uses. 


For instructions on installing the Remote Loader, see “Installation” in the Novell Nsure Identity 
Manager 2 Administration Guide. 
Configuring the Driver Filter 


Modify the filter on the Publisher and Subscriber channels to include the object classes and 
attributes that you want Identity Manager to process. 


1 In iManager, click DirXML Management > Overview. 


2 Locate the driver set that contains the Exchange driver, then click the driver’s icon to display 
the DirXML Driver Overview page. 


3 Click the driver filter icon. 
Figure 10 The Driver Filter icon 


4 (Optional) Add classes that you want Identity Manager to process. 
The Exchange driver supports the Distribution List, Remote, and Mailbox classes. 
5 Enable synchronization. 
As the following figure illustrates with red Xs, when you add a class, the Publisher and 
Subscriber channels aren't enabled. 


Figure 11 Icons for the Publisher and Subscriber channels, shown on a class (Group) and its 
attributes (Member, Full Name) 


To enable a channel, click the channel icon, then click Synchronize. 


Figure 12 The Synchronize button (the channel menu offers Synchronize and Ignore) 


6 Save changes by clicking OK. 


Mail-nickname is the Alias attribute on the General page in the Exchange Administrator. It is the 
Exchange attribute name that the driver supports but does not map to any existing eDirectory 

attributes. Based on your organization’s needs, you can map this Exchange attribute to existing or 
new eDirectory attributes (after extending the schema) by modifying the Schema Mapping policy. 
Make sure that the syntax for any maps you add is valid. You can also handle this in a style sheet. 
Starting the Driver 


1 In iManager, click DirXML Management > Overview. 
2 Browse to and select the driver set where the driver exists. 


3 In the driver that you want to start, click the icon for the drop-down list. 


Figure 13 The icon for the drop-down list (Start driver, Get current status, Edit properties, 
Cancel) 


4 Select Start Driver. 
After the driver starts, you can open DSTrace to see driver processing details. 


Synchronization takes place on an object-by-object basis as changes are made to individual 
objects. If you want to have an immediate synchronization, you must initiate that process as 
explained in “Migrating and Resynchronizing Data” on page 22. 


Migrating and Resynchronizing Data 
Identity Manager synchronizes data as it changes. If you want to synchronize all data immediately, 
you can choose from the following options: 


+ Migrate Data from eDirectory: Allows you to select containers or objects you want to 
migrate from eDirectory to an application. When you migrate an object, the DirXML engine 
applies all of the Matching, Placement, and Create policies, as well as the Subscriber filter, to 
the object. 


* Migrate Data into eDirectory: Allows you to define the criteria the DirXML engine uses to 
migrate objects from an application into Novell eDirectory. When you migrate an object, the 
DirXML engine applies all of the Matching, Placement, and Create policies, as well as the 
Publisher filter, to the object. Objects are migrated into eDirectory using the order you specify 
in the Class list. 


+ Synchronize: The DirXML engine looks in the Subscriber class filter and processes all 
objects for those classes. Associated objects are merged. Unassociated objects are processed 
as Add events. 


To use one of the options explained above: 


1 In iManager, select DirXML Management > Overview. 
2 Locate the driver set containing the Exchange driver, then double-click the driver icon. 


3 Click the appropriate migration button. 
Figure 14 Migration buttons (Export..., Migrate from eDirectory..., Migrate into eDirectory..., 
and Synchronize) 


Activating the Driver 
Activate the driver within 90 days of installation. Otherwise, the driver will stop working. 


For information on activation, refer to “Activating Novell Identity Manager Products” in the 
Novell Nsure Identity Manager 2 Administration Guide. 


Upgrading 


This section provides information on the following: 
+ "Running the Normalize Exchange Associations Utility" on page 25 
+ "Upgrading the Driver Shim" on page 26 
+ "Upgrading the Driver Configuration" on page 27 


Running the Normalize Exchange Associations Utility 


If you are upgrading from the DirXML® Driver 1.0 for Exchange, you need to run the Normalize 
Exchange Associations utility. This utility searches the eDirectory tree and normalizes the 
DirXML Driver for Exchange associations. 


NOTE: If you are upgrading from the 1.0a patch or later, you don't need to run the Normalize Exchange 
Associations utility. 


1 Get the changeAssocKey.zip file from Novell Support. 


2 Create a temporary directory on the NT server where the DirXML Driver for Exchange is 
installed. 


3 Expand changeAssocKey.zip into the directory. 
4 Open the run.bat file and edit the file with these parameters: 


Parameter             Value 

Java                  Drive letter and path for Java*. For example, 
                      C:\Novell\consoleone\1.2\jre\bin\java or D:\Novell\NDS\jre\bin\java 

LDAP address:port     The IP address and port number of the eDirectory server. Normally, 
                      this is localhost:389. 

LDAP Bind ID          The LDAP authentication ID. 

LDAP Bind Password    The LDAP authentication password. 

Driver Name           The name of the Driver object. For example, ExchangeDriver. 

Action                One of the following: 
                      1 - Lists eDirectory objects with no association to the driver 
                          specified above. 
                      2 - Lists eDirectory objects with an incomplete association to the 
                          driver specified above. 
                      3 - Lists eDirectory objects with associations to be normalized. 
                      4 - Modifies the associations in eDirectory and lists the objects. 


NOTE: We recommend that you first set the action to 3 so you can see which associations will change 
when you set the action to 4. Then set the action to 4 and run the program again. Running the program 
more than once causes no problems. If you are concerned about the current state of the associations, 
run the utility with the action set to 1 or 2. 


5 Run the run.bat file. 
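As an added example, not the Novell utility itself and not code from this guide, the following Python script reproduces the four Action values on constructed data, so you can see what each action would list before you run the real utility. It assumes the LDAP string form of the DirXML-Associations attribute, "<driver DN>#<state>#<association key>" with state 1 meaning the object is associated, which this page does not describe, and it stands in case-folding plus whitespace trimming for the utility's undocumented "normalize" rule. The driver DN, object DNs, and association values are constructed.

```python
"""Classify eDirectory objects by their DirXML-Associations values for one driver.

Added example; not the Normalize Exchange Associations utility. Assumptions:
  * one DirXML-Associations value reads "<driver DN>#<state>#<association key>"
  * state 1 means associated; anything else is incomplete for our purposes
  * "normalize" means case-fold and trim the key (the Exchange DN); the real rule
    is not documented on this page
"""

STATE_PROCESSED = 1
SEP = "#"


def parse_association(value):
    """Split one DirXML-Associations value into (driver_dn, state, key).

    The key may itself contain '#', so only the first two separators count.
    """
    parts = value.split(SEP, 2)
    if len(parts) != 3 or not parts[0]:
        raise ValueError("malformed association value: %r" % value)
    driver_dn, state, key = parts
    if not state.isdigit():
        raise ValueError("non-numeric association state: %r" % value)
    return driver_dn, int(state), key


def normalize_key(key):
    """Canonical form of the association key (assumed rule: trim and lowercase)."""
    return key.strip().lower()


def same_dn(a, b):
    """eDirectory DNs compare case-insensitively."""
    return a.strip().lower() == b.strip().lower()


def classify(objects, driver_dn):
    """objects: {eDirectory DN: [DirXML-Associations values]}.

    Returns which objects each utility action would list:
      missing      - no association to driver_dn at all           (Action 1)
      incomplete   - associated, but state != 1 or empty key      (Action 2)
      to_normalize - key differs from its normalized form         (Action 3)
      rewrite      - (object DN, old value, new value) triples    (Action 4)
    """
    out = {"missing": [], "incomplete": [], "to_normalize": [], "rewrite": []}
    for obj_dn, values in objects.items():
        found = False
        for value in values:
            d, state, key = parse_association(value)   # raises on garbage: stop and look
            if not same_dn(d, driver_dn):
                continue                               # belongs to another driver
            found = True
            if state != STATE_PROCESSED or not key:
                out["incomplete"].append(obj_dn)
            elif normalize_key(key) != key:
                out["to_normalize"].append(obj_dn)
                out["rewrite"].append((obj_dn, value,
                                       SEP.join([d, str(state), normalize_key(key)])))
        if not found:
            out["missing"].append(obj_dn)
    return out


def run_action(objects, driver_dn, action):
    """Mirror the utility's Action parameter (1..4)."""
    report = classify(objects, driver_dn)
    return {1: report["missing"], 2: report["incomplete"],
            3: report["to_normalize"], 4: report["rewrite"]}[action]


# Constructed sample tree: DNs and association values are made up for this example.
DRIVER_DN = "cn=ExchangeDriver,cn=DriverSet,o=novell"
SAMPLE_OBJECTS = {
    "cn=jdoe,ou=users,o=novell": [
        "cn=ExchangeDriver,cn=DriverSet,o=novell#1#/O=ACME/OU=SITE/CN=RECIPIENTS/CN=JDOE"],
    "cn=asmith,ou=users,o=novell": [
        "cn=exchangedriver,cn=driverset,o=novell#1#/o=acme/ou=site/cn=recipients/cn=asmith",
        "cn=NTDriver,cn=DriverSet,o=novell#1#ACME\\asmith"],
    "cn=bwong,ou=users,o=novell": ["cn=ExchangeDriver,cn=DriverSet,o=novell#2#"],
    "cn=cdiaz,ou=users,o=novell": ["cn=NTDriver,cn=DriverSet,o=novell#1#ACME\\cdiaz"],
}

if __name__ == "__main__":
    for action in (1, 2, 3, 4):
        print("Action", action, "->", run_action(SAMPLE_OBJECTS, DRIVER_DN, action))
```

Run actions 1 through 3 first, as the NOTE above recommends; only action 4 produces rewritten values, and only the key portion changes, never the driver DN or the state.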


Upgrading the Driver Shim 
NOTE: Running an Identity Manager driver configuration with a DirXML 1.x driver shim is not supported. 


When you upgrade, the new driver shim replaces the previous driver shim but keeps the previous 
driver’s configuration. The new driver shim can run the DirXML 1.x configuration with no 
changes. 


1 Make sure you have updated your driver with all the patches for the version you are currently 
running. 


To help minimize upgrade issues, we recommend that you complete this step on all drivers. 
2 Install the new driver shim. 


You can do this at the same time that you install the DirXML engine, or you can do it after 
the engine is installed. See “Installing the Driver Shim for Exchange” on page 14. 


3 After the shim is installed, restart the driver. 
3a In iManager, select DirXML Management > Overview. 
3b Browse to the driver set where the driver exists. 


3c Select the driver that you want to restart, click the status icon, then select Start Driver. 


Figure 15 The icon for the driver's drop-down list (Start driver, Get current status, Edit 
properties, Cancel) 


4 Activate the driver shim with your Identity Manager activation credentials. 


For information on activation, see “Activating Novell Identity Manager Products” in the 
Novell Nsure Identity Manager 2 Administration Guide. 


After you install the driver shim, upgrade the driver configuration. See “Upgrading the Driver 
Configuration” on page 27. 
Upgrading the Driver Configuration 


You can run a DirXML 1.x driver configuration with an Identity Manager 2.0 driver shim and the 
new DirXML engine, with no changes to the driver configuration. 


However, you might want to edit a DirXML 1.x driver configuration. To do this, do one of the 
following: 


+ Use the DirXML 1.x iManager plug-ins. 


See "Managing DirXML 1.x Drivers in an Identity Manager Environment” in the Novell 
Nsure Identity Manager 2 Administration Guide. 


* Run the wizard that converts DirXML 1.x configurations to Identity Manager format so that 
you can use the iManager plug-ins for Identity Manager. 


See “Upgrading a Driver Configuration from DirXML 1.x to Identity Manager Format” in the 
Novell Nsure Identity Manager 2 Administration Guide. 


To take advantage of the features of Identity Manager, do the following: 
* Review the sample configuration provided. 


* See the Novell Nsure Identity Manager 2 Administration Guide for information on new 
features. 
Customizing the DirXML Driver for Exchange 


This section provides information on the following: 
+ "Integrating the DirXML Driver for Exchange and the DirXML Driver for NT Domain" on 
page 29 
+ "Managing External Recipients" on page 32 
+ "Synchronizing Proxy-Address and Target-Address Attributes" on page 32 
+ "Using Authoritative Bind" on page 33 
+ "Using a Custom Bind" on page 34 
+ "Specifying the LDAP Port" on page 35 


Integrating the DirXML Driver for Exchange and the DirXML Driver 
for NT Domain 


IMPORTANT: If you are using the DirXML Driver for NT Domains and the DirXML Driver for Exchange, edit 
the default policy or create a new one to resolve an account issue between the two drivers. This policy prevents 
the Exchange driver from attempting to create an NT Domains account before the NT Domains driver creates 
the account. 


The DirXML Driver for NT Domain has a User attribute called DirXML-NTAccountName. This 
attribute contains the DomainName/UserName value. The Exchange MailBox object needs that 
value to associate the mailbox with a domain account. For the association to occur correctly, the 
value in DirXML-NTAccountName must be written to the MailBox attribute Assoc-NT-Account. 
Keep in mind that attribute names are case sensitive. 


1 Create a new policy so that a new MailBox object isn’t created unless the 
DirXML-NTAccountName attribute is populated. 

1a In iManager, select DirXML Management > Overview. 

1b Search for the driver set that contains the DirXML Driver for Exchange, then select that 
driver. 

1c Select the Creation Policies object on the Subscriber channel. 
Figure 16 The Creation Policies object 

1d In the Creation Policies dialog box, click Edit. 

Figure 17 The Creation Policies dialog box 


1e Click User Required Attributes. 

Figure 18 The User Required Attributes check box 


1f In the Actions section, add an action for the DirXML-NTAccountName attribute. 

Click the + icon, then select Veto If Operation Attribute Not Available from the Do 
drop-down list. 

Figure 19 The + icon and Do edit box 

Select DirXML-NTAccountName from the Enter Name drop-down list. 
Figure 20 The Enter Name edit box 


1g Click OK. 

As the following figure illustrates, the action is placed in the User Required Attributes 
section. 

Figure 21 Actions in the User Required Attributes section 

The rule now reads: if class name equal "User", then 
veto if operation attribute not available("DirXML-NTAccountName"). 


2 Verify that the DirXML-NTAccountName attribute is in the following locations: 


+ The Publisher filter on the DirXML Driver for NT Domains 


+ The Subscriber filter on the DirXML Driver for Exchange 


3 Synchronize the Subscriber channel. 


Figure 22 

4 Restart both drivers. 


After you have made these changes to the drivers, the following control flow occurs when you 
create a user in eDirectory: 


1. The DirXML Driver for NT Domain is handed a create request. 


2. The DirXML Driver for Exchange Create event is vetoed because of the absence of the 
DirXML-NTAccountName attribute. 


3. The DirXML Driver for NT Domain creates the NT account and publishes the name of the 
NT account just created to the DirXML-NTAccountName attribute. 


4. The DirXML Driver for Exchange is notified. It creates the mailbox and associates the 
mailbox with the NT account information stored in eDirectory. 


NOTE: The examples use DirXML-NTAccountName as the eDirectory attribute to hold the NT account 
information, but you can choose any attribute that works for you. 


Managing External Recipients 


Microsoft Exchange directories let you create special objects called External Recipients. Think of 
these objects as address book entries that represent recipients in external messaging systems. You 
can modify the Schema Mapping policy so that you can map a remote object to a User object or 
any other desired eDirectory object. For example: 


<class-name> 
<nds-name>User</nds-name> 
<app-name>remote</app-name> 
</class-name> 


If you decide to make this change, you should also add the Internet EMail Address attribute as a 
required attribute to the Create policy, as in the following example: 

<create-rules> 
<create-rule class-name="User"> 
<required-attr attr-name="Given Name"/> 
<required-attr attr-name="Internet EMail Address"/> 
</create-rule> 
</create-rules> 


An Internet EMail Address attribute is required to create an External Recipient object in the 
Exchange directory. Failure to add the Internet EMail Address attribute results in an error when 
you try to create an External Recipient. 
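The required-attribute check here and the one in “Integrating the DirXML Driver for Exchange and the DirXML Driver for NT Domain” above are the same mechanism: the Subscriber’s create step is vetoed until every named attribute carries a value. The following Python script is an added example, not code from the Novell guide or the driver. It parses a <create-rules> document, evaluates it against <add> events written in the nds.dtd form the engine hands to a driver, and walks the two-pass control flow described above (first add vetoed, second add passes once the NT Domain driver has published the account name). The rules, the sample events, the account value DOMAIN/jdoe and the address jdoe@example.com are constructed for illustration; attribute names are matched case-sensitively, as the guide says eDirectory does.

```python
# Added example (not from the Novell guide): evaluate required-attribute create
# rules against DirXML <add> events. Rule and event XML are constructed samples.
import xml.etree.ElementTree as ET

# Create rules in the guide's DirXML 1.x <create-rules> form, naming the two
# required attributes this chapter discusses. Constructed sample.
RULES_XML = """<create-rules>
  <create-rule class-name="User">
    <required-attr attr-name="Internet EMail Address"/>
    <required-attr attr-name="DirXML-NTAccountName"/>
  </create-rule>
</create-rules>"""


def parse_create_rules(rules_xml):
    """Return {class-name: [required attribute names]} from a <create-rules> document."""
    root = ET.fromstring(rules_xml)
    return {
        rule.get("class-name"): [r.get("attr-name") for r in rule.findall("required-attr")]
        for rule in root.findall("create-rule")
    }


def present_attrs(add_element):
    """Attribute names on an <add> that carry at least one non-empty value.

    Names are compared exactly: 'dirxml-ntaccountname' does not satisfy a rule
    for 'DirXML-NTAccountName'.
    """
    found = set()
    for add_attr in add_element.findall("add-attr"):
        if any((v.text or "").strip() for v in add_attr.findall("value")):
            found.add(add_attr.get("attr-name"))
    return found


def evaluate_adds(event_xml, rules):
    """For every <add> in an nds.dtd document return ('pass', []) or ('veto', [missing...])."""
    root = ET.fromstring(event_xml)
    results = []
    for add in root.iter("add"):
        have = present_attrs(add)
        missing = [a for a in rules.get(add.get("class-name"), []) if a not in have]
        results.append(("veto" if missing else "pass", missing))
    return results


def sample_add_event(nt_attr_name=None, nt_value="DOMAIN/jdoe"):
    """Constructed <add> event as the engine hands it to the Subscriber channel.

    nt_attr_name=None is the first pass, before the NT Domain driver has published
    the account name; passing a name is the second pass, after it has.
    """
    nt_attr = ""
    if nt_attr_name is not None:
        nt_attr = (f'<add-attr attr-name="{nt_attr_name}">'
                   f'<value type="string">{nt_value}</value></add-attr>')
    return f"""<nds dtdversion="1.1" ndsversion="8.6"><input>
<add class-name="User" src-dn="\\TREE\\novell\\users\\jdoe" event-id="0">
<add-attr attr-name="Given Name"><value type="string">Jane</value></add-attr>
<add-attr attr-name="Internet EMail Address"><value type="string">jdoe@example.com</value></add-attr>
{nt_attr}
</add></input></nds>"""


RULES = parse_create_rules(RULES_XML)


def walk_control_flow():
    """The two-driver sequence from the text: vetoed first, passed once the NT name exists."""
    first = evaluate_adds(sample_add_event(), RULES)
    second = evaluate_adds(sample_add_event("DirXML-NTAccountName"), RULES)
    return first, second


if __name__ == "__main__":
    print(walk_control_flow())
    # Wrong case never satisfies the rule: attribute names are case sensitive.
    print(evaluate_adds(sample_add_event("dirxml-ntaccountname"), RULES))
```

Run it directly to see the veto on the first pass and the pass on the second; an attribute that is present but empty, or spelled with different case, is still treated as missing, which is the behaviour to expect from the engine when a filter or policy names the attribute incorrectly.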


Synchronizing Proxy-Address and Target-Address Attributes 
To synchronize all the e-mail values of the multivalue Proxy-Address and Target-Address 
attributes, add the <proxyFlg/> tag to the driver parameters. 


1 In iManager, click eDirectory Administration > Modify Object. 


2 Locate and select the DirXML Driver for Exchange object (for example, Exchange 5.5), 
then click OK. 


3 Locate the Driver Parameters section at the bottom of the Driver Configuration page, then 
click Edit XML. 


4 Click Enable XML Editing so that you can edit the script. 

Figure 23 The Enable XML Editing check box 

5 Add the <proxyFlg/> tag. 


This tag can go anywhere between the <driver-options> tags. The updated parameters could 
look similar to the following example: 


<driver-options> 
<x-ldap-server display-name="IP address of Exchange Server (for LDAP queries):">167.55.135.28</x-ldap-server> 
<x-remote display-name="Remote Exchange Driver? (1=true; 0=false):">0</x-remote> 
<x-server display-name="Exchange Server Name:">DHEAD</x-server> 
<x-site display-name="Exchange Site:">/o=Novell/ou=DOMAINLIMA</x-site> 
<proxyFlg/> 
</driver-options> 


6 Deselect Enable XML Editing, then return to the Driver Parameters section. 
7 Click OK. 


Using Authoritative Bind 


Whenever a query happens with a scope of subordinate or subtree, the driver uses LDAP. In the 
past, only an anonymous bind was possible. When using an anonymous bind, the driver can’t see 
attributes that are hidden in Exchange. 


The new AuthoritativeBind parameter lets you use an authoritative LDAP bind instead of an 
anonymous LDAP bind. This option is one of the prompts when you import the sample driver 
configuration. 


We recommend that you use authoritative bind only in cases where you need to see hidden 
attributes, such as when you want to do matching based on a hidden attribute. 


Keep in mind that when you use authoritative bind, hidden attributes, such as NT4AccountName, 
are seen in the trace. After using authoritative bind for a specific purpose such as migrating users, 
if you no longer need to use authoritative bind, you could change the driver parameters back to 
using anonymous bind. 
Using a Custom Bind 


You might need to bind to LDAP by using a custom bind. For example, to find hidden objects in 
Exchange, you need to bind as user admin. 


To use a custom bind: 


1 In the Driver Parameters section, click Edit XML. 


Figure 24 The Edit XML button 


2 Click Enable XML Editing. 
3 In the <driver-options> section, add the tag and string that specify a custom bind. 
For example, type 
<hiddenObjectBind>cn=Administrator, dc=DOMAIN, cn=admin</hiddenObjectBind> 


This example uses the following, which you need to customize in your configuration: 


String Description 
Administrator A user with administrative rights 
DOMAIN The name of your domain 


The following figure illustrates this tag and string: 

Figure 25 Syntax for a custom bind 

<?xml version="1.0"?> 
<driver-config name="Exchange 5.5"> 
<driver-options> 
<x-ldap-server display-name="Exchange LDAP Server" id="100"></x-ldap-server> 
<x-remote display-name="Create NT Security Account 0=Yes 1=No" id="101">0</x-remote> 
<x-server display-name="Exchange Server" id="102"></x-server> 
<x-site display-name="Exchange Site" id="103">/o=/ou=</x-site> 
<authoritative-bind display-name="Authoritative Bind:" id="104">Yes</authoritative-bind> 
<hiddenObjectBind>cn=Administrator, dc=DOMAIN, cn=admin</hiddenObjectBind> 
</driver-options> 
<subscriber-options> 
<x-domain display-name="NT Domain Server" id="106"></x-domain> 
</subscriber-options> 
<publisher-options> 
<x-publishInterval display-name="Polling Interval (seconds)" id="107">10</x-publishInterval> 
</publisher-options> 
</driver-config> 


4 Click OK twice. 
The Exchange driver then uses the string in the tag as the user for the bind. 
Also, an additional value to not allow deleted objects is placed in the search filter. 


If this custom tag is present, it overrides the authoritative bind tag. If it isn’t present, the 
authoritative bind takes precedence. If neither tag is present, a non-authoritative bind is used. 


Specifying the LDAP Port 


If you changed the Exchange Server’s LDAP port number from the default value of 389, you need to 
configure the DirXML Driver for Exchange so that it queries the port that the server uses. 

1 In the Driver Parameters section, click Edit XML. 
2 Click Enable XML Editing. 

3 In the <driver-options> section, add the <ldap-port></ldap-port> tags and, between them, the 
port number (for example, 391). 
Figure 26 Syntax to specify an LDAP port 

<driver-options> 
<x-ldap-server display-name="Exchange LDAP Server" id="100"></x-ldap-server> 
<x-remote display-name="Create NT Security Account 0=Yes 1=No" id="101">0</x-remote> 
<x-server display-name="Exchange Server" id="102"></x-server> 
<x-site display-name="Exchange Site" id="103">/o=/ou=</x-site> 
<authoritative-bind display-name="Authoritative Bind:" id="104">Yes</authoritative-bind> 
<hiddenObjectBind id="105">cn=Administrator,dc=DOMAIN,cn=admin</hiddenObjectBind> 
<ldap-port>391</ldap-port> 
</driver-options> 

4 Click OK twice. 
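The four procedures above (“Synchronizing Proxy-Address and Target-Address Attributes”, “Using Authoritative Bind”, “Using a Custom Bind” and “Specifying the LDAP Port”) are all edits to the same <driver-options> section, and the guide states a precedence for the bind tags: hiddenObjectBind overrides authoritative-bind, and with neither present an anonymous bind is used. The following Python script is an added example, not code from the Novell guide or from the driver. It applies the three edits to a copy of the configuration shown in Figure 25 (reconstructed here as a constructed sample) and reports which bind and which port the driver will end up using. The value checks on the bind string and the port are this example’s own assumptions, as is treating any authoritative-bind value other than Yes as No.

```python
# Added example (not from the Novell guide): apply the <driver-options> edits this
# chapter makes by hand in the iManager XML editor and report the resulting bind.
import xml.etree.ElementTree as ET

# Reconstructed from Figure 25 in the guide; constructed sample, not a live config.
SAMPLE_CONFIG = """<driver-config name="Exchange 5.5">
  <driver-options>
    <x-ldap-server display-name="Exchange LDAP Server" id="100"></x-ldap-server>
    <x-remote display-name="Create NT Security Account 0=Yes 1=No" id="101">0</x-remote>
    <x-server display-name="Exchange Server" id="102"></x-server>
    <x-site display-name="Exchange Site" id="103">/o=/ou=</x-site>
    <authoritative-bind display-name="Authoritative Bind:" id="104">Yes</authoritative-bind>
  </driver-options>
  <subscriber-options>
    <x-domain display-name="NT Domain Server" id="106"></x-domain>
  </subscriber-options>
  <publisher-options>
    <x-publishInterval display-name="Polling Interval (seconds)" id="107">10</x-publishInterval>
  </publisher-options>
</driver-config>"""


def parse_config(xml_text):
    return ET.fromstring(xml_text)


def _options(root):
    opts = root.find("driver-options")
    if opts is None:
        raise ValueError("configuration has no <driver-options> section")
    return opts


def _set_child(parent, tag, text=None):
    """Create or overwrite a single child element (never a second copy of the tag)."""
    el = parent.find(tag)
    if el is None:
        el = ET.SubElement(parent, tag)
    el.text = text
    return el


def enable_proxy_address_sync(root):
    """Add the empty <proxyFlg/> tag that turns on Proxy-Address/Target-Address sync."""
    _set_child(_options(root), "proxyFlg")


def set_custom_bind(root, bind_dn):
    """Set <hiddenObjectBind>. Guard (assumption): require the cn=<user>,dc=<domain>,cn=admin shape."""
    parts = [p.strip() for p in bind_dn.split(",")]
    if (len(parts) != 3 or not parts[0].lower().startswith("cn=")
            or not parts[1].lower().startswith("dc=") or parts[2].lower() != "cn=admin"):
        raise ValueError(f"unexpected bind string: {bind_dn!r}")
    _set_child(_options(root), "hiddenObjectBind", ",".join(parts))


def set_ldap_port(root, port):
    """Set <ldap-port>; leave the tag out to keep the default of 389."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    _set_child(_options(root), "ldap-port", str(port))


def resolve_bind(root):
    """('custom', dn) beats ('authoritative', None), which beats ('anonymous', None)."""
    opts = _options(root)
    custom = (opts.findtext("hiddenObjectBind") or "").strip()
    if custom:
        return ("custom", custom)
    # The sample configuration writes the prompt value as Yes; anything else is
    # treated as No here (assumption).
    if (opts.findtext("authoritative-bind") or "").strip().lower() == "yes":
        return ("authoritative", None)
    return ("anonymous", None)


def ldap_port(root):
    """Port the driver will query; 389 when <ldap-port> is absent."""
    return int((_options(root).findtext("ldap-port") or "389").strip())


def has_proxy_flag(root):
    return _options(root).find("proxyFlg") is not None


def build_config(bind_dn="cn=Administrator,dc=DOMAIN,cn=admin", port=391):
    """Apply all three edits to the sample configuration and return the tree."""
    root = parse_config(SAMPLE_CONFIG)
    enable_proxy_address_sync(root)
    set_custom_bind(root, bind_dn)
    set_ldap_port(root, port)
    return root


if __name__ == "__main__":
    cfg = build_config()
    print(resolve_bind(cfg), ldap_port(cfg), has_proxy_flag(cfg))
    print(ET.tostring(cfg, encoding="unicode"))
```

Running the script prints the resolved bind and port and the rewritten XML, which you can paste into the XML editor. Re-running resolve_bind after removing the hiddenObjectBind tag shows the fallback to the authoritative bind; remember from “Using Authoritative Bind” that either non-anonymous bind exposes hidden attributes in the trace, so revert to the anonymous bind once the task that needed it (for example, a migration) is done.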
Troubleshooting the Driver 

This section provides information on the following: 

+ “Troubleshooting” on page 37 

+ “Driver Error Messages” on page 38 


Troubleshooting 

+ Exchange Directory names used in the Placement policy are case-sensitive. 

+ If Exchange and eDirectory™ are running on the same machine, you must disable the 
eDirectory LDAP server or change its port assignment from port 389. Both LDAP servers listen 
on port 389 by default, and the driver must be able to reach the Exchange LDAP server. 

+ If you encounter syntax errors in XML, use the Web browser required by Nsure™ Identity 
Manager to verify the syntax. 

+ The authentication credentials you specify should be for an NT account/domain that has rights 
to the Exchange Directory. 

+ CN and Object-Class should not be in the filter. 

+ If there is an invalid attribute in the filter (for example, one for which Schema Mapping is not 
defined), the following happens: 

  + At each polling loop, the Publisher fails to synchronize the class that contains the invalid 
  attribute, and gives an error indicating an unsupported attribute. 

  + The driver is still able to start. 

  + The Subscriber channel still functions correctly unless the invalid attribute is referenced. 
  A task that references an invalid attribute gives an error and is not successful. 

The sample driver configuration supports the standard attributes in Exchange, so this issue 
could occur only for custom attributes you have added in Exchange. 

+ The DirXML® Driver for Exchange supports the following classes: 

  + Distribution List 
  + Remote 
  + Mailbox 
Driver Error Messages 

The following is a list of error messages the driver might return: 

+ USN Cache Initialized from disk 

This is an informational message printed at the beginning of the driver initialization indicating 
that the driver's last state was read from the disk. 

+ USN Cache could not be initialized. Most likely reason: Insufficient memory. 

The previous driver state was not initialized correctly. This means that the registry or the 
driver configuration file was manipulated by another process. This might happen if you 
accidentally deleted one of the driver configuration files. This results in a loss of event data. 

+ DAPIStart() failed. Please check the Event Log for details. Returned error code = 

This usually suggests that the Exchange Server is down or could not be reached. The NT 
Application Event Log should contain a more detailed description of the error. 

+ DAPIStart() encountered non fatal error. Please check the Event Log for details. 
Returned error code = 

This error message is returned when a warning was returned by Exchange. The returned 
warning is logged in the NT Application Event Log. 

+ Call to Import function failed. Likely cause- bad XML or too little memory. 

+ Subscriber Import attempt failed. Please check the NT Event Log for details. 
Returned error code = 

An attempt to write to the Event log did not succeed. 

+ Subscriber Import attempt encountered non critical error. Please check the NT Event Log 
for details. Returned error code = 

+ A bad XML document was sent to the driver. Critical error in the Subscriber XML document. 

+ A bad XML document was sent to the driver. The subscriber could not process the input node. 

+ A bad XML document was sent to the driver. An unsupported operation type was received. 

+ A bad XML document was sent to the driver. The operation node could not be processed. 

+ Bad Subscriber filter or Subscriber filter contains an unsupported attribute. Please check 
the Subscriber filter. 

An unsupported attribute was added to the Subscriber filter. Verify the Subscriber filter with 
the list of supported attributes in the file ATTRIBUTES.TXT (located in the 
NT\DIRXML\DRIVERS\EXCHANGE\RULES directory). 

+ Could not log in to Exchange with the specified credentials. Driver will not start. 

The authentication credentials supplied were incorrect. The credentials specified should be 
for an NT account/domain that has rights to the Exchange directory. 

+ NT Event handles could not be created. The System could be low on memory 

+ An expected initialization parameter was missing from the parameter list. 

One or more of the initialization parameters was missing. Try restarting. If the problem 
persists, try retyping the initialization parameters. 

+ Could not allocate memory. 

+ Failed to initialize the base of the USN cache. Driver will not start. 
Documentation Updates 


This section contains information about documentation content changes that have been made in 
this guide. 


The information is grouped according to the date the documentation updates were published. 


The documentation is provided on the Web in two formats: HTML and PDF. The HTML and PDF 
documentation are both kept up-to-date with the documentation changes listed in this section. 


If you need to know whether a copy of the PDF documentation you are using is the most recent, 
the PDF document contains the date it was published in the Legal Notices section immediately 
following the title page. 


The documentation was updated on the following dates: 
+ “March 24, 2004” on page 41 
+ “April 16, 2004” on page 41 
+ “August 3, 2004” on page 41 


March 24, 2004 


+ References to DirXML 2.0 have been changed to Identity Manager 2. The engine and drivers 
are still referred to as the DirXML® engine and DirXML drivers. 


+ References to Password Synchronization 2.0 have been changed to Nsure™ Identity Manager 
Password Synchronization. The new Password Synchronization functionality is a feature of 
Identity Manager. It isn’t a separate product. 


April 16, 2004 

The following updates were made in this section: 

Location                             Change 
“Software Requirements” on page 13   Added a statement that the driver supports the Distribution List, 
                                     Remote, and Mailbox classes. 
Throughout the document              Updated information and added graphics. 


August 3, 2004 

The following updates were made in this section: 

Location                                Change 
“Using a Custom Bind” on page 34        Added this topic. 
“Specifying the LDAP Port” on page 35   Added this topic, in case you change the LDAP port on the 
                                        Exchange server. 